Unauthenticated Command Injection Vulnerability in Zyxel NAS326 Firmware
CVE-2024-29972
Summary
A critical command injection vulnerability affects Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0. It allows an unauthenticated remote attacker to execute operating system commands on the device by sending a crafted HTTP POST request. Zyxel released patches for this flaw and for two other critical vulnerabilities in the same devices (CVE-2024-29973 and CVE-2024-29974) and advised users to apply them immediately; two further moderate-severity flaws were also reported. Both NAS models had already reached end-of-life status, but Zyxel still issued the patches for organizations with an extended warranty. The vulnerabilities were discovered by Timothy Hjort. At the time of reporting there were no reports or evidence of in-the-wild exploitation, but the technical details of the methodology are publicly available, so exploitation attempts are likely to follow.
Affected Version(s)
NAS326 firmware < V5.21(AAZF.17)C0
NAS542 firmware < V5.21(ABAG.14)C0
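The two version strings above are the only reliable way to tell from an inventory whether a device is exposed, and Zyxel's version format (V<major>.<minor>(<firmware code>.<patch>)C<revision>) does not sort as a plain string. The following is an added example, not code from this page or from Zyxel: it parses that format, compares a running version against the fixed releases named above, and triages a constructed inventory. The firmware codes AAZF (NAS326) and ABAG (NAS542) are taken from the fixed version strings; the assumption that the tuple (major, minor, patch, revision) orders releases correctly, the model-to-code mapping, and the sample inventory are all assumptions made for illustration.

```python
import re
from typing import Dict, List, NamedTuple

# First non-vulnerable firmware per model, exactly as listed in the advisory.
FIXED_VERSIONS: Dict[str, str] = {
    "NAS326": "V5.21(AAZF.17)C0",
    "NAS542": "V5.21(ABAG.14)C0",
}

# Zyxel version strings look like V5.21(AAZF.17)C0: major.minor, a four-letter
# firmware code, a patch number, and a C-revision. The exact grammar is an
# assumption based on the strings in the advisory.
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]{4})\.(\d+)\)C(\d+)$")


class ZyxelVersion(NamedTuple):
    major: int
    minor: int
    code: str    # firmware code, e.g. AAZF for NAS326, ABAG for NAS542
    patch: int
    rev: int

    def key(self):
        # Assumed ordering: releases compare by major, minor, patch, then revision.
        return (self.major, self.minor, self.patch, self.rev)


def parse_version(s: str) -> ZyxelVersion:
    """Parse a Zyxel firmware version string; raise ValueError if malformed."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {s!r}")
    major, minor, code, patch, rev = m.groups()
    return ZyxelVersion(int(major), int(minor), code, int(patch), int(rev))


def is_vulnerable(model: str, version: str) -> bool:
    """True if `version` on `model` is older than the fixed release."""
    if model not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version known for model {model!r}")
    fixed = parse_version(FIXED_VERSIONS[model])
    running = parse_version(version)
    if running.code != fixed.code:
        # A different firmware code means the string belongs to another
        # product line; refuse to guess rather than report "patched".
        raise ValueError(
            f"firmware code {running.code} does not match {fixed.code} for {model}"
        )
    return running.key() < fixed.key()


def triage(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Classify each inventory row as vulnerable, patched, or unknown."""
    results = []
    for row in inventory:
        try:
            status = "vulnerable" if is_vulnerable(row["model"], row["version"]) else "patched"
        except (KeyError, ValueError) as exc:
            status = f"unknown ({exc})"
        results.append({"host": row["host"], "status": status})
    return results


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    {"host": "nas-01", "model": "NAS326", "version": "V5.21(AAZF.16)C0"},
    {"host": "nas-02", "model": "NAS326", "version": "V5.21(AAZF.17)C0"},
    {"host": "nas-03", "model": "NAS542", "version": "V5.20(ABAG.12)C0"},
    {"host": "nas-04", "model": "NAS542", "version": "V5.21(ABAG.14)C1"},
    {"host": "nas-05", "model": "NAS326", "version": "5.21 AAZF.17"},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"{r['host']}: {r['status']}")
```

Only hosts whose version parses and compares strictly below the fixed release are flagged; a malformed string or a mismatched firmware code is reported as unknown so it gets looked at by hand instead of silently passing as patched.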
News Articles
- Zyxel Releases Emergency Security Update for NAS Devices (8 months ago): Networking solutions vendor Zyxel fixed critical vulnerabilities in end-of-life network-attached storage devices that allow remote code execution. It left two
- Zyxel patches critical flaws in EOL NAS devices - Help Net Security (8 months ago): Zyxel has released patches for CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, which affect two of its EOL NAS devices.
Timeline
- First article discovered by GBHackers on Security
- Vulnerability published
- Vulnerability reserved